MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual 195
In EAP security-mode, the Orbit will block all traffic on the Ethernet port but will still capture EAP
frames. These EAP frames are then forwarded via the RADIUS protocol to the configured RADIUS server.
The Orbit is agnostic to the EAP method used between the peer and the RADIUS server, so any EAP method can be
used at the peer and RADIUS server (e.g. EAP-TLS). If the RADIUS server can successfully
authenticate the peer connected to the Ethernet port, then it will send a RADIUS-ACCEPT message to the
Orbit. When that message is received the Orbit stops blocking traffic on the Ethernet port.
In MAB security-mode, the Orbit will block all traffic on the Ethernet port but it still captures Ethernet
frame headers so that it can read the source MAC address of ingress traffic. The Orbit sends RADIUS
PAP (Password Authentication Protocol) requests for each MAC address that it captures until it receives a
RADIUS-ACCEPT message from the RADIUS server. When the RADIUS-ACCEPT message is
received the Orbit stops blocking traffic on the Ethernet port. The PAP requests are created with the
following attributes:
Username: the MAC address, without punctuation, of the peer device connected to the Ethernet port.
Example: 00063d089883
Password: an encrypted version of the Username
Calling-Station-Id: the same as the Username but with hyphens.
Example: 00-06-3d-08-98-83
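The MAB request attributes listed above, as an added example (not code from the manual or from the Orbit firmware). It assumes that the "encrypted version of the Username" is the standard RADIUS User-Password hiding of RFC 2865 section 5.2 with the Username as the cleartext; the function names and the Request Authenticator value are constructed for illustration, and the shared secret is the placeholder from the manual's configuration example.

```python
import hashlib
import re

def mab_identity(mac: str) -> dict:
    """Return the User-Name and Calling-Station-Id forms shown in the manual."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()  # lowercase, as in the manual's example
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return {
        "User-Name": digits,
        "Calling-Station-Id": "-".join(digits[i:i + 2] for i in range(0, 12, 2)),
    }

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with its copy of the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

# Constructed sample values: only the MAC and secret strings come from the manual.
SECRET = b"RadiusSharedSecret"
AUTHENTICATOR = bytes(range(16))  # a real client uses 16 unpredictable bytes per request

if __name__ == "__main__":
    ident = mab_identity("00:06:3D:08:98:83")
    hidden = hide_password(ident["User-Name"].encode(), SECRET, AUTHENTICATOR)
    print(ident, hidden.hex())
    print(reveal_password(hidden, SECRET, AUTHENTICATOR).decode())
```

On the RADIUS server side, this means the account provisioned for a MAB device carries the unpunctuated MAC address as both user name and password, under the assumption stated above.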
In both security-modes, the NAS-IP address in the RADIUS request can be static or dynamic. A static
NAS-IP is used when the Orbit’s RADIUS configuration contains the NAS settings. If the static NAS
settings are not set, the Orbit uses one of its IP addresses that is able to route to the RADIUS server’s
address.
Configuring
Configuration of port authentication first requires a RADIUS server configuration to be added to the
Orbit. For example:
% set system mds-radius servers MyServer address 192.168.10.100 shared-secret RadiusSharedSecret
% commit
Port authentication can now be enabled on an Ethernet port. For example:
% set interfaces interface ETH1 security security-mode EAP radius-server MyServer
% commit
Ethernet security settings are not set by default so Ethernet traffic is unobstructed until security is
enabled. Ethernet security settings include:
security-mode – either EAP, MAB, or none
radius-server – The name of a RADIUS server configuration in system settings
Monitoring
Read-only parameters for Ethernet ports show the state of the security on the port:
run show interfaces-state interface ETH1 security